Cybersecurity Costs: Not Just About the Money
Cybersecurity tools that protect credit unions from data breaches and fraud incidents can be pricey, but experts argued those costs are far outweighed by the professional and financial risks faced by credit unions that don't protect themselves.
When it comes to the valuation of cyberattacks, many security experts draw from the “2017 Cost of Data Breach Study,” sponsored by IBM Security and conducted by Ponemon Institute, which estimated the average total cost of a data breach at $3.62 million and the average cost for each affected record at $225. Heavily regulated industries such as financial services had a higher per-record cost ($336) than the overall mean.
For credit unions, the biggest cost associated with breaches comes from the cost per record, noted Stephen Gilmour, manager of technical product management at Symitar, a division of the Monett, Mo.-based Jack Henry & Associates. “Remember that a credit union doesn't usually have just one type of record per member, but often multiple records for each member, such as credit cards, Social Security numbers, driver's licenses and other PII data.”
For credit unions betting a breach will never happen at their organization, Gilmour explained that the odds of a lightning strike are one in 960,000, yet the odds of a data breach are as high as one in four, according to the IBM/Ponemon study.
Samantha Amburgey, chief information officer for the $3.8 billion, Lansing, Mich.-based Michigan State University Federal Credit Union, a Symitar core client, said, “Costs will vary with the size of the threat, attack or incident.” She said other factors include wages for internal resources in information technology, internal audit and risk management; internal and external communications; and member support areas.
Amburgey explained that following a data breach or similar incident, there's also the cost of external resources, which can include consultants, information security support and forensics, legal fees, insurance deductibles, possible premium increases and identity theft protection costs for members. Plus, there's the cost of lost business, containing the issue, reputation and brand management, and employees helping members with the situation instead of opening new products.
Amburgey said, “At MSUFCU, we estimate that our information security program pays for itself by preventing many security incidents per year. An institution takes on more and a greater magnitude of risk by choosing to not protect themselves.”
Paul Love, chief information security officer for the Rancho Cucamonga, Calif.-based CO-OP Financial Services, advised, “A credit union will eventually have to implement security. Delaying the costs of implementation only increases them, as security then has to be retrofitted.” Love explained a well-designed and implemented security program costs far less than even one breach.
Rebecca Herold, president of the Des Moines, Iowa-based SIMBUS and CEO of The Privacy Professor, said, “As we get more data and more technologies that store, collect and transmit that data, and more people and entities that touch that data in some way, the costs become greater. And the crooks are finding more value in such data as time goes on.”
She added, “Any financial organization that chooses to save what in the scheme of things is truly a comparatively small amount of money by not investing in and implementing information security and privacy controls is not only leaving its members/customers at great, and unnecessary, risk; it is also derelict in meeting its obligations to protect the assets of its members/customers.”
Love held that in addition to suffering reputational harm, there is often a push to implement corrective security and/or fraud controls and processes quickly after a breach, often disrupting business processes and strategy. “If a credit union builds security and fraud prevention into its processes, the blow is minimized and the credit union can move to a continuous improvement model.”
“There isn't a single point of failure necessarily when it comes to potential data breaches,” Steve Comer, financial services sales manager at the Westlake, Ohio-based Hyland, said.
However, there's a significant investment needed to protect all susceptible pieces. “That could be both a hardware and software investment as well as a personnel investment,” he said.
The size of an organization is not related to the risk level. “I don't think vulnerability necessarily has a scale. Customer data, member data, card data – anywhere it is retained there is vulnerability,” Comer maintained. “Even the smaller organizations now are making investments in personnel or establishing those types of departments to make sure everything is buttoned up.”
Credit unions also deal with fraud fallout from breaches. Tom Donlea, vice president of global marketing for the Seattle-based identity data firm Whitepages Pro, estimated credit unions will experience a 25% to 30% increase in fraudulent loan applications due to the recent exposure of identity data through breaches. That comes out to some $2 billion from records exposed in the first half of 2017 alone.
“Although it is difficult to estimate the dollar losses an individual credit union may experience, it is safe to say they all must be more sophisticated in their fraud checks than simply looking at ‘the core four’ of name, address, date of birth and Social Security number. These are all readily available for experienced fraudsters,” Donlea stated. He suggested credit unions perform more sophisticated fraud checks, such as determining whether identity elements match the profile of the applicant: phone to name, email to name and address to name, for example.
Brian Laing, chief revenue officer at the Redwood City, Calif.-based Lastline, said, “The costs of fraud are enormous to any institution and far exceed the simple loss associated with the fraudulent transaction.” He added that the Ponemon survey found that in 78% of attacks, money left the institution before the attack's discovery.
Laing noted the initial fraud loss, ranging from $1,000 to more than $1 million, is part of the cost, but additional expenses can be significant. He said credit unions must also count additional staff and management hours for investigation and remediation, and the resulting loss in overall productivity; legal costs associated with contract reviews and potential litigation; the decline in member trust and subsequent member churn; and brand and reputation erosion.
For smaller credit unions, cybersecurity costs may present a quandary, especially when compared to a potential remediation bill. “The smaller a credit union is, the more likely its IT group is outsourced,” Gene Fredriksen, chief security strategist for the St. Petersburg, Fla.-based PSCU, said. So a breach of its onsite computers, call center or data center is not as likely. “However, the probability of a breach through phishing, pretext calling or social engineering is very high.”
Fredriksen observed that while there are a number of costs resulting from a breach, the price tag jumps considerably when one factors in legal and research costs. “If you hire a forensic firm of any size to do an analysis, you are easily into the six-figure range without blinking an eye. Probably on the legal costs, you are into that same amount.”
Dave Stafford, PSCU's chief information officer, mentioned some immeasurable financial and reputational losses. “You lose member trust and you lose potential future member acquisition. You have the possibility of the credit union's card slipping to second place [in a mobile wallet]. It is very difficult to measure those intangibles.”
Stafford also emphasized the importance of credit unions understanding the security within their third-party relationships. “They have to have a pretty comprehensive program for vetting those companies, and making sure they’re following information security policies and best practices.”
Fredriksen added that credit unions should not outsource any processing without knowing exactly where their data is going. “There's an old saying in security that you can delegate processing but you can't abdicate your responsibility to protect your members’ data.”